Hi!

On Mon, Nov 24, 2025 at 6:53 AM Daniel Gustafsson <[email protected]> wrote:
> The attached incorporates your tests, fixes them to make them pass. The
> culprit seemed to be a combination of a bug in the code (the verify callback
> needs to be defined in the default context even if there is no CA for it to be
> called in an SNI setting because OpenSSL), and that the tests were matching
> backend errors against frontend messages.

The new v12 tests still don't pass for me (they all use "certificate verify
failed", but the failure modes should be different).

> +        if (host->ssl_ca && host->ssl_ca[0] != '\0')

The comment for HostsLine.ssl_ca, and the code that assigns it, implies to me
that host->ssl_ca should never be NULL. Am I missing a case where it could be?

On Wed, Dec 3, 2025 at 1:57 AM Heikki Linnakangas <[email protected]> wrote:
> I propose that there is no GUC. In 'pg_hosts.conf', you can specify a
> wildcard '*' host that matches anything. You can also specify a "no sni"
> line which matches connections with no SNI specified. (Or something
> along those lines, I didn't think too hard about all the interactions).

That seems to position SNI as a feature that every DBA should have to think
about by default. ("learn this file. you can't turn it off.") Is it, yet?

Web servers enable SNI implicitly because name-based hosting is a top-level
concept for users over there (hostnames are baked into the application layer).
I would argue that we don't have that here. Maybe in the future someone will
ask for that, but at that point don't you want a very different, name-based,
config system?

On Wed, Dec 3, 2025 at 3:28 PM Daniel Gustafsson <[email protected]> wrote:
> > On 3 Dec 2025, at 22:27, Jelte Fennema-Nio <[email protected]> wrote:
> > What if we make it so that if a pg_hosts.conf file exists, then the
> > ssl_cert_file/ssl_key_file configs are ignored? And by default initdb
> > would not create a file (or it would, but with the same default
> > settings that we have now).
>
> Maybe. I'm not a big fan of magic-file-exist configurations

Me neither. (I especially don't like the idea of ignoring a certificate+key
setting that a user has taken the time to put into a config.)

Thanks,
--Jacob
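The lookup semantics under discussion (an exact SNI name, Heikki's proposed "no sni" line for connections that send no server_name, and a '*' wildcard) and the "empty string, never NULL" meaning of `ssl_ca` are easy to get wrong when the precedence is left implicit. The following is an added illustration, not code from the patch or from PostgreSQL: the `host cert key [ca]` line format, the `"no sni"` token, and the precedence order (exact name, then "no sni" for SNI-less connections, then "*") are all assumptions made for this example.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Hypothetical tokens for this example; quoting "no sni" keeps it one field.
NO_SNI = "no sni"
WILDCARD = "*"


@dataclass
class HostsLine:
    host: str       # SNI name, "*" for the wildcard, or "no sni"
    ssl_cert: str
    ssl_key: str
    ssl_ca: str     # "" (never None) when no CA is configured


def parse_hosts(text: str) -> list[HostsLine]:
    """Parse the assumed 'host cert key [ca]' format; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed pg_hosts.conf line: {raw!r}")
        host, cert, key = fields[:3]
        ca = fields[3] if len(fields) > 3 else ""
        entries.append(HostsLine(host.lower(), cert, key, ca))
    return entries


def select_host(entries: list[HostsLine], sni: Optional[str]) -> Optional[HostsLine]:
    """Choose the entry for one connection; sni is None when the client sent no
    server_name extension. Assumed precedence: exact name, then "no sni" for
    SNI-less connections, then "*"; None when nothing matches."""
    if sni is None:
        wanted = NO_SNI
    else:
        # SNI names are case-insensitive; a trailing dot is not significant.
        wanted = sni.lower().rstrip(".")
    for entry in entries:
        if entry.host == wanted:
            return entry
    for entry in entries:
        if entry.host == WILDCARD:
            return entry
    return None


def wants_client_cert_verification(entry: HostsLine) -> bool:
    # Mirrors the quoted `host->ssl_ca[0] != '\0'` test: an empty ssl_ca means
    # no CA is configured, so client certificates are not verified.
    return entry.ssl_ca != ""


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """
# exact names first, then the SNI-less fallback, then the wildcard
db1.example.test   /etc/pg/db1.crt     /etc/pg/db1.key     /etc/pg/clients-ca.crt
db2.example.test   /etc/pg/db2.crt     /etc/pg/db2.key
"no sni"           /etc/pg/legacy.crt  /etc/pg/legacy.key
*                  /etc/pg/default.crt /etc/pg/default.key /etc/pg/clients-ca.crt
"""


def demo() -> dict:
    """Resolve a few representative connections against SAMPLE_CONF."""
    entries = parse_hosts(SAMPLE_CONF)
    results = {}
    for sni in ("db1.example.test", "DB2.Example.Test.", None, "other.example.test"):
        entry = select_host(entries, sni)
        results[sni] = (entry.ssl_cert, wants_client_cert_verification(entry))
    return results


if __name__ == "__main__":
    for sni, (cert, verify) in demo().items():
        print(f"{sni!r:>22} -> {cert} (verify client cert: {verify})")
```

Note what the fallback order implies: a file with no "no sni" line sends SNI-less clients to the wildcard entry, and a file with neither yields no match at all, which is exactly the kind of interaction a DBA would have to understand if the file were mandatory.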
